Would employees show up to a voluntary lunch and learn session on phishing, password tips, and two-step verification?
Contrary to the security awareness pessimists’ responses, they will. Of course there will not be 100 percent attendance. But what if voluntary sessions were hosted and roughly a third of the staff attended, in person or remotely, to learn about some of the most pressing issues we’re fighting today?
What if the icing on the cake was a C-level employee staying after to ask questions about wireless and Java? And if that isn’t enough, after two sessions, a third session was offered for those who could not attend, but wanted to because of word-of-mouth.
No, this isn’t an information security made-for-TV-movie play on “Field of Dreams.” This happened.
As security professionals we sometimes struggle to communicate with our employees and provide them with actionable information that leads to behavioral change. We know the dangers that exist, and we put up as many barriers as we can to prevent breaches, so we get labeled as the department of “no.” Or worse, the department of “do as I say, not as I do.”
While policies and restrictions within the company are very necessary, what happens when an employee goes home and is no longer under the enterprise protection you provide? Some may say they don’t care; if so, that viewpoint is shallow and does not contribute to the greater good of our industry. Besides, with bring your own device (BYOD) and the remote workforce exploding, the corporate perimeter is dissolving. While we are paid to protect the enterprise, we can do much more to promote security overall by giving our employees information they can act on in minutes.
Security teams are known for being stretched thin. How can we find time in our busy schedules to host events? Why do this at all if it is not directly related to the business? The answer is simple: it does relate to the business, and here’s how.
Creating a security culture
Security awareness programs are more successful when security is part of the culture. Starting with security during a new hire’s orientation and continuing through the mandatory (and voluntary) sessions, the security culture forms and strengthens. Hosting voluntary sessions reinforces the message that security is important not only to the enterprise, but to society in general.
Get employees to care by telling them what’s in it for them
Corporate security awareness programs should show employees how the program benefits the business as well as their own interests. No employee wants his or her home computer pwned, just as the security team does not want a corporate asset exploited through phishing. By providing employees with solutions they can use at home in minutes, you are reinforcing good security practices that will carry over to the business.
Build cross functional relationships
There has been a noticeable gap between security technology professionals and employees. Oftentimes there is little to no communication until there’s a security incident, and then the interaction is a negative one. Educational sessions, however, allow security professionals to improve their interpersonal, presentation, and communication skills while having fun. By keeping it informal and lighthearted, employees get to see the security team in action firsthand and build the relationship.
How enterprise controls are better understood
For example, password controls continue to be a challenge for everyone. While there are solutions such as OneLogin and Okta for the enterprise, personal password managers outside of 1Password and LastPass aren’t well known or understood by less security-savvy employees. These are the same people who need tips on how to better manage passwords to avoid reuse and simplicity. Likewise, many of the more popular social sites and services like LinkedIn, Twitter, Facebook, and Gmail offer two-step verification, but how many of the non-savvy employees are aware of it and using it? When you show employees how they can protect their Gmail account with two-step verification in less than 10 minutes, they see firsthand that they are capable of improving their security and that it was not hard. In turn, they will have a better understanding of internal controls and will be more accepting of them, because they have already done the same thing for their own personal benefit.
Changing employee behavior is a top priority. By giving employees quick, simple steps they can take to better protect their accounts, we are helping to change their behavior, which is a win-win.
When hosting training sessions, keep it simple and don’t overwhelm attendees. As information security professionals we have a lot of knowledge, but keep it easy! A session focused on password tips and two-step verification is more than enough to give attendees the information and then the steps they can take. If the session is too complex or requires a significant amount of time, it won’t work. By limiting the agenda and keeping it simple, employees will take action. This does not need to be formal. Encourage sporadic questions, open dialogue, and peer-to-peer communication; this will make the sessions more interactive and everyone will benefit.
Employees want to learn and are interested – host events, and they will come!